A misconfiguration in the Twitter developer portal caused browsers to cache API keys, account access tokens, and account secrets.

To make matters worse, the IDs were also sequential integers, making it possible to enumerate through them, change settings, and retrieve information, such as:

This is a classic example of the Broken Object-Level Authorization (BOLA, also known as IDOR) vulnerability, which is number one in the OWASP API Security Top 10. The root cause is the same every time: the API authenticates the caller but never checks that the object referenced by the ID actually belongs to them, so one valid session plus a guessable ID is enough to read or modify everyone else's data.
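To make the defect concrete, here is an added example that is not code from the original post or from the affected portal: a hypothetical "app" object store keyed by sequential integer IDs, a read and a rename handler with the BOLA/IDOR defect, the same two handlers with the ownership check folded into the lookup, and the enumeration loop an attacker runs against the vulnerable version. All names, IDs and "secrets" are constructed sample data.

```python
# Added example, not code from the original post: a sequential-ID object
# endpoint with the BOLA/IDOR defect beside its fixed form, plus the
# enumeration loop that the defect enables. All names and data are constructed.
from dataclasses import dataclass


@dataclass
class App:
    app_id: int
    owner: str
    name: str
    api_key: str  # constructed sample secret, not a real key


# Constructed sample store: IDs are sequential integers and objects belong
# to different users, exactly the shape an attacker can walk through.
APPS = {
    1001: App(1001, "alice", "alice-bot", "key-alice-1001"),
    1002: App(1002, "bob", "bob-dashboard", "key-bob-1002"),
    1003: App(1003, "carol", "carol-cli", "key-carol-1003"),
}


class NotFound(Exception):
    """Raised for unknown AND foreign IDs so the API is not an existence oracle."""


# --- vulnerable: authenticated, but no object-level authorization ---------

def get_app_vulnerable(current_user: str, app_id: int) -> App:
    """Looks the object up by ID only; current_user is never consulted."""
    if app_id not in APPS:
        raise NotFound(app_id)
    return APPS[app_id]


def rename_app_vulnerable(current_user: str, app_id: int, new_name: str) -> App:
    app = get_app_vulnerable(current_user, app_id)
    app.name = new_name  # any logged-in user can change anyone's settings
    return app


# --- fixed: every lookup is scoped to the caller ---------------------------

def _load_owned(current_user: str, app_id: int) -> App:
    """Single choke point: ownership is part of the lookup, not a later check."""
    app = APPS.get(app_id)
    if app is None or app.owner != current_user:
        raise NotFound(app_id)  # same error as "does not exist"
    return app


def get_app_fixed(current_user: str, app_id: int) -> App:
    return _load_owned(current_user, app_id)


def rename_app_fixed(current_user: str, app_id: int, new_name: str) -> App:
    app = _load_owned(current_user, app_id)
    app.name = new_name
    return app


# --- what an attacker with one valid session does against sequential IDs --

def enumerate_secrets(get_handler, current_user: str, start: int, stop: int) -> dict:
    """Walks an ID range through the given read handler and collects every secret it leaks."""
    leaked = {}
    for app_id in range(start, stop):
        try:
            leaked[app_id] = get_handler(current_user, app_id).api_key
        except NotFound:
            continue
    return leaked


if __name__ == "__main__":
    # Bob's own session, walking the whole ID range through each handler.
    print("vulnerable:", enumerate_secrets(get_app_vulnerable, "bob", 1000, 1010))
    print("fixed:     ", enumerate_secrets(get_app_fixed, "bob", 1000, 1010))
```

The design point is that the ownership check lives in the one function every verb goes through, so a new endpoint cannot forget it, and that a foreign ID produces exactly the same error as a missing one. Switching to random or UUID identifiers slows enumeration down and is worth doing, but it is not a fix: the authorization check is what closes the hole.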

If your API is hosted in AWS API Gateway behind a custom domain name, you can enable mutual TLS on that domain: upload a truststore (a PEM bundle of the CA certificates you trust) to S3, and API Gateway will require every client to present a certificate chaining to one of those CAs before the request reaches your backend. Two caveats: mutual TLS is available only on regional custom domains, and you must also disable the API's default execute-api endpoint, otherwise clients can simply bypass the custom domain and its certificate check.

I took part in their latest episode and we had a lovely discussion of API security, what makes it different from web application security, top threats, the most effective countermeasures, and lots of real-life stories.
